代码如下所示:
<?php
/*
[Discuz!] (C)2001-2009 Comsenz Inc.
This is NOT a freeware, use is subject to license terms
$Id: security.inc.php 16688 2008-11-14 06:41:07Z cnteacher $
*/
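// Refuse direct access: this file is only meaningful when pulled in by the
// Discuz! bootstrap, which defines IN_DISCUZ.
if(!defined('IN_DISCUZ')) {
	exit('Access Denied');
}

// $attackevasive is a bitmask of enabled defences (set by the including
// bootstrap, not visible here):
//   1 = refresh-rate limit, 2 = proxy block, 4 = forced second request,
//   8 = security question.
// Levels 1 and 4 both need the time of the previous request: decode it from
// the 'lastrequest' cookie and immediately store the current timestamp for
// the next request. authcode() is defined elsewhere, so whether the cookie is
// integrity-protected or merely obfuscated is not visible in this file.
// NOTE(review): the lifetime 816400 s is about 9.4 days; if one day was
// intended the value would be 86400 — left unchanged here.
if(($attackevasive & 1) || ($attackevasive & 4)) {
	$_DCOOKIE['lastrequest'] = authcode($_DCOOKIE['lastrequest'], 'DECODE');
	dsetcookie('lastrequest', authcode($timestamp, 'ENCODE'), $timestamp + 816400, 1, true);
}

// Level 1: a second request inside one second is treated as a refresh flood.
// The interstitial auto-reloads, so a real user only sees a short pause.
// Note the threshold here is 1 s, while the user-facing text mentions two
// seconds.
if($attackevasive & 1) {
	if($timestamp - $_DCOOKIE['lastrequest'] < 1) {
		securitymessage('attachsave_1_subject', 'attachsave_1_message');
	}
}

// Level 2: refuse requests carrying headers that forward proxies commonly
// add. Every one of these is client-supplied, so this only catches proxies
// that announce themselves, and it also affects users behind corporate
// gateways or CDNs that set X-Forwarded-For. !empty() keeps the same
// truthiness test as before without an undefined-index notice; the duplicate
// HTTP_PROXY_CONNECTION entry of the original condition is dropped.
if(($attackevasive & 2) && (
	!empty($_SERVER['HTTP_X_FORWARDED_FOR']) ||
	!empty($_SERVER['HTTP_VIA']) ||
	!empty($_SERVER['HTTP_PROXY_CONNECTION']) ||
	!empty($_SERVER['HTTP_USER_AGENT_VIA']) ||
	!empty($_SERVER['HTTP_CACHE_INFO']))) {
	securitymessage('attachsave_2_subject', 'attachsave_2_message', FALSE);
}

// Level 4: a client whose 'lastrequest' cookie is missing or older than
// 300 s gets a reloading page instead of content. The cookie written above
// makes the automatic second request pass; a client that does not keep
// cookies (e.g. a simple crawler) will keep looping on the reload.
if($attackevasive & 4) {
	if(empty($_DCOOKIE['lastrequest']) || $timestamp - $_DCOOKIE['lastrequest'] > 300) {
		securitymessage('attachsave_4_subject', 'attachsave_4_message');
	}
}

// Level 8: security question. The 'secqcode' cookie carries
// "key|answerhash|time": a fresh challenge is issued with an empty middle
// field (key||time) and the answer hash is only written once the visitor
// answered correctly. $time is only checked for presence, never for age, so
// a solved challenge stays valid for the cookie lifetime.
// Comparisons use !== : the cached answer and md5() output are both strings,
// and loose != would treat two hashes that happen to look numeric
// (e.g. "0e...") as equal.
if($attackevasive & 8) {
	// array_pad() guarantees three fields so a short or empty cookie yields
	// '' rather than a notice; '' fails the same truthiness checks as null.
	list($questionkey, $questionanswer, $questiontime) = array_pad(explode('|', authcode($_DCOOKIE['secqcode'], 'DECODE')), 3, '');
	include_once DISCUZ_ROOT.'./forumdata/cache/cache_secqaa.php';
	if(!$questionanswer || !$questiontime || $_DCACHE['secqaa'][$questionkey]['answer'] !== $questionanswer) {
		// Original condition was: empty(secqsubmit) || (!empty(secqsubmit) && wrong)
		// which reduces to: empty(secqsubmit) || wrong.
		$postedanswer = isset($_POST['answer']) ? $_POST['answer'] : '';
		if(empty($_POST['secqsubmit']) || $_DCACHE['secqaa'][$questionkey]['answer'] !== md5($postedanswer)) {
			// Pick a new question (array_rand() is non-cryptographic; it only
			// selects which configured question to show).
			$questionkey = array_rand($_DCACHE['secqaa']);
			dsetcookie('secqcode', authcode($questionkey.'||'.$timestamp, 'ENCODE'), $timestamp + 816400, 1, true);
			securitymessage($_DCACHE['secqaa'][$questionkey]['question'], '<input type="text" name="answer" size="8" maxlength="150" /><input class="button" type="submit" name="secqsubmit" value=" Submit " />', FALSE, TRUE);
		} else {
			dsetcookie('secqcode', authcode($questionkey.'|'.$_DCACHE['secqaa'][$questionkey]['answer'].'|'.$timestamp, 'ENCODE'), $timestamp + 816400, 1, true);
		}
	}
}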
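/**
 * Render a security interstitial and terminate the request.
 *
 * $subject and $message are either keys of the built-in text table below or
 * literal text. A literal is emitted as raw HTML without escaping, so callers
 * must pass only trusted content (the level-8 caller passes the configured
 * question and an <input> fragment). For an AJAX request (?inajax=1) the
 * text is wrapped in the XML envelope from ajaxshowheader()/ajaxshowfooter();
 * otherwise a standalone HTML page is written.
 *
 * @param string $subject text-table key or literal heading
 * @param string $message text-table key or literal body (may contain HTML)
 * @param bool   $reload  emit a script that reloads the page after 1001 ms
 * @param bool   $form    wrap the body in a POST form back to the current script
 * @return void never returns: exit() is called after the output
 */
function securitymessage($subject, $message, $reload = TRUE, $form = FALSE) {
	$securitylang = array(
		'attachsave_1_subject' => '频繁刷新限制',
		'attachsave_1_message' => '您访问本站速度过快或者刷新间隔时间小于两秒!请等待页面自动跳转 ...',
		'attachsave_2_subject' => '代理服务器访问限制',
		'attachsave_2_message' => '本站现在限制使用代理服务器访问,请去除您的代理设置,直接访问本站。',
		'attachsave_4_subject' => '页面重载开启',
		'attachsave_4_message' => '欢迎光临本站,页面正在重新载入,请稍候 ...'
	);
	// Resolve table keys; anything else (e.g. the configured question text) is
	// used verbatim. isset() avoids an undefined-index notice in that case and
	// is equivalent to the old truthiness test because every entry is non-empty.
	$subject = isset($securitylang[$subject]) ? $securitylang[$subject] : $subject;
	$message = isset($securitylang[$message]) ? $securitylang[$message] : $message;

	if(!empty($_GET['inajax'])) {
		ajaxshowheader();
		echo '<div id="attackevasive_1" class="popupmenu_option"><b style="font-size: 16px">'.$subject.'</b><br /><br />'.$message.'</div>';
		ajaxshowfooter();
	} else {
		echo '<html>';
		echo '<head>';
		echo '<title>'.$subject.'</title>';
		echo '</head>';
		echo '<body bgcolor="#FFFFFF">';
		if($reload) {
			// 1001 ms is just past the 1 s window the level-1 refresh check uses.
			echo '<script language="JavaScript">';
			echo 'function reload() {';
			echo ' document.location.reload();';
			echo '}';
			echo 'setTimeout("reload()", 1001);';
			echo '</script>';
		}
		if($form) {
			// PHP_SELF reflects the request path, including anything the client
			// appended as PATH_INFO, so it is escaped before use in the attribute.
			echo '<form action="'.htmlspecialchars($_SERVER['PHP_SELF'], ENT_QUOTES).'" method="POST">';
		}
		echo '<table cellpadding="0" cellspacing="0" border="0" width="700" align="center" height="85%">';
		echo ' <tr align="center" valign="middle">';
		echo ' <td>';
		echo ' <table cellpadding="10" cellspacing="0" border="0" width="80%" align="center" style="font-family: Verdana, Tahoma; color: #666666; font-size: 11px">';
		echo ' <tr>';
		echo ' <td valign="middle" align="center" bgcolor="#EBEBEB">';
		echo ' <br /><br /> <b style="font-size: 16px">'.$subject.'</b> <br /><br />';
		echo $message;
		echo ' <br /><br />';
		echo ' </td>';
		echo ' </tr>';
		echo ' </table>';
		echo ' </td>';
		echo ' </tr>';
		echo '</table>';
		if($form) {
			echo '</form>';
		}
		echo '</body>';
		echo '</html>';
	}
	// Nothing else may be sent after the interstitial.
	exit();
}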
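/**
 * Open the XML envelope used for AJAX responses.
 *
 * Discards any output buffered so far, sends no-cache headers and writes the
 * XML declaration plus an opening <root><![CDATA[ ; ajaxshowfooter() closes
 * it. Reads the global $charset for the encoding attribute. The unused
 * "global $inajax" of the original is dropped.
 *
 * @return void
 */
function ajaxshowheader() {
	global $charset;
	// Drop whatever the page already buffered; the guard avoids the
	// "no buffer to delete" notice when buffering is off.
	if(ob_get_level()) {
		ob_end_clean();
	}
	// The first three header() calls are @-suppressed in the original (so a
	// "headers already sent" warning cannot leak into the XML body); the
	// Content-type call is not. Kept as-is.
	@header("Expires: -1");
	@header("Cache-Control: no-store, private, post-check=0, pre-check=0, max-age=0", FALSE);
	@header("Pragma: no-cache");
	header("Content-type: application/xml");
	echo "<?xml version=\"1.0\" encoding=\"$charset\"?>\n<root><![CDATA[";
}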
/**
 * Close the CDATA section and <root> element opened by ajaxshowheader().
 *
 * @return void
 */
function ajaxshowfooter() {
	$envelopeend = ']]></root>';
	print $envelopeend;
}
?>